Is There an ROI to Network Security?

Document Description
There's a very strong argument that Network Security costs boat loads of money and provides no return on investment. Your CFO might be convinced that the IT equipment purchases as well as IT staff time spent configuring and managing your entire network is just another hefty cost of doing business. When it comes to network security in particular, the CFO is probably even more certain that it's a big expense with no return. It's probably looked at as some kind of costly insurance policy to help show that you both are taking necessary measures to protect your business. The argument might be "when did an alarm system or the lock on the front door return money back to us?" These are physical security measures that everyone has to take in due care to keep intruders out or help keep honest people honest. Ok, so you could claim it returned a little bit back to you, because you received a discount on your insurance policy for proactively taking these simple precautions to keep out the intruders. But is there an ROI to spending thousands on insurance and saving only a few hundred bucks for having bolted your doors and alarmed your windows?
File Details
Submitter
  • Name: myricoorish
Content Preview

A NetClarity, Inc. White Paper

NetClarity, Inc.
54 Middlesex Turnpike, Building C
Bedford, Massachusetts, USA 01730
Tel: 781-276-4555
Fax: 781-276-1569
http://www.netclarity.net

Is There an ROI to Network Security?

By Gary S. Miliefsky, CISSP®
Founder & CTO

2007 Edition

Contents

Introduction
The ROI Formula
The Risk Formula
Real-World Scenario
Credits
About the Author
Copyright Notice
Contact Information

Introduction: Can we find an ROI in Network Security?

The ROI Formula: Know this formula and you’re on the right track.

The Risk Formula: Incorporating risk into the equation will help you create a Network Security ROI formula.

Real-World Scenario: Let’s see these formulas in action and prove there is an ROI to Network Security.

INTRODUCTION

There's a very strong argument that Network Security costs boat loads of money and provides no return on investment. Your CFO might be convinced that the IT equipment purchases as well as IT staff time spent configuring and managing your entire network is just another hefty cost of doing business. When it comes to network security in particular, the CFO is probably even more certain that it's a big expense with no return. It's probably looked at as some kind of costly insurance policy to help show that you both are taking necessary measures to protect your business.

The argument might be "when did an alarm system or the lock on the front door return money back to us?" These are physical security measures that everyone has to take in due care to keep intruders out or help keep honest people honest. Ok, so you could claim it returned a little bit back to you, because you received a discount on your insurance policy for proactively taking these simple precautions to keep out the intruders. But is there an ROI to spending thousands on insurance and saving only a few hundred bucks for having bolted your doors and alarmed your windows?

Knowing that organizations spent over $10B USD worldwide on Network Security equipment over the last few years, this argument that there is no ROI - it's just a cost of doing business starts to sound like it has merit. In fact, even after spending all this money, so many organizations experienced expensive downtime - due to hackers, viruses, worms, spyware, spam and malicious insiders. So, where's the ROI in Network Security?

THE ROI FORMULA

In mathematical terms, the arithmetic return of ROI is defined as the following:

This return has the following characteristics:

when the final value is twice the initial value
ROIArith > 0 when the investment is profitable
ROIArith < 0 when the investment is at a loss
when investment can no longer be recovered

Interestingly, to compensate for a negative ROI, one needs a positive ROI that is higher in magnitude. For example, to recoup a 50% loss one needs to realize a 100% gain (source: Wikipedia.org).

A simpler formula for ROI that takes into account annual returns is as follows (source: NucleusResearch.com):

ROI = ((net year 1 + net year 2 + net year 3) / 3 / initial cost) X 100%

So, typically, ROI is looked at by the monies generated as net income. If you spend money on equipment, usually there's a total cost of ownership (TCO) attributed but not an ROI, or better yet, the ROI is below 100%, so it's a loss not a profit. As a result, this kind of equipment can get written off over time as a capital expenditure - in other words a 'cost center.'

Here's an example using the simple formula around hiring a sales person who goes out in the field and generates a net income for his company. Let's say the TCO for this employee is $100k per year (salary, bonus, overhead), he brings in a net of $100k, $150k and $200k in revenues over a 3 year period:

ROI = (($100k + $150k + $200k)/3/$100k) x100% so...

ROI = (($450k)/3/$100k) x100%, which equals 150% - that makes sense, you spent 300k but it returned you 450k so the ROI is 150% which is good. If the ROI is below 100% then you are losing money. Makes sense, right?

Now that we've completed the ROI crash course, I'm going to turn the tables and show you that there is indeed a POSITIVE ROI to Network Security. Before you can measure it to prove it to your CEO, CFO or the Board, first you need to have my crash course on risk assessment and then we'll tie it all together.

THE RISK FORMULA

My crash course on risk assessment is easy:

R = T x V x A

That is, (R)isk is equal to the number of (T)hreats against your organization, multiplied by the number of (V)ulnerabilities you have and then by the number of assets.

Threats, Vulnerabilities and Assets are all weighted by how serious the threat, vulnerability and how valuable the asset.

REAL-WORLD SCENARIO

Here is a for instance: What is the risk that your salesperson will not meet his quota of $100k in year one, $150k in year two and $200k in year three from the example above if at the end of every quarter, the mail server goes offline, the network fax server won't send out quotes and invoices or accept inbound purchase orders because these servers were operating in a Risky environment that was constantly hammered by hackers, viruses and worms (Threats) which were easily exploiting the weaknesses in your network (Vulnerabilities) and taking these servers offline (Assets). At that moment in time, productivity dropped, revenues couldn't be booked and the ROI for sales fell below 100%.

So what do you do to get this sales person's ROI over the 100% mark? You implement strong Network Security by creating policies about who can come and go in your network and what kind of traffic can flow to and from these critical assets. In addition, you deployed apparently costly network security equipment like firewalls, VPNs, IDS systems, anti-virus, anti-spam and anti-spyware. You began to more frequently self-audit your own Risk profile until you reduced your level of Risk to an acceptable level - no more mail and fax server downtime.

Now, let's say you had 100 sales people bringing in 150% and the TCO of Network Security is now factored into this equation:

ROI = ((net year 1 + net year 2 + net year 3) / 3 / initial cost) X 100%

ROI = (($10M + $15M + $20M)/3/[$10M TCO Sales team + $2M TCO CIO's Team and all Network Security expenditures]) x100% so...

ROI = you spent 12M but it returned you 15M so the ROI is 150% which is good.

Let's take away Network Security and now factor in downtime, lost productivity, unhappy customers and lost revenues:

ROI = (($10M + $9M + $8M)/3/$10M TCO Sales team only) x100% so... in this case your ROI is 90%. You spent only $10M, shaving $2M by not having the CIO, IT Staff and Network Security expenses, but your risk was high and the experience of downtime cost you important revenues. As a result you earned $9M and spent $10M on average. What does that do to your business? It puts you out of business.

There is absolutely an ROI for good Network Security.

What is the end result of your actions?

Ultimately, by investing up front in best practices and the necessary tools for good Network Security, you were able to ensure higher revenues and profitability. Doing it right means more uptime, more productivity and smoother sailing through each quarter.

CREDITS:

Thanks to numerous NetClarity, Inc. customers for their time and suggestions for this document. Thanks also to http://www.SearchCIO.com for providing information on their web sites and for publishing my short article on this topic.

About the Author:

Gary S. Miliefsky, CISSP®
Founder & CTO
NetClarity, Inc.

Gary Miliefsky has 20+ years experience as an entrepreneur, computer scientist and trained security professional. He has been CEO and/or CTO of 3 start-up ventures.

Mr. Miliefsky is a founding member of the Department of Homeland Security, http://www.usdhs.gov/. He currently serves as an advisor to MITRE Corporation at http://oval.mitre.org/ and is a member of the New England Information Security Group’s Board of Directors, found at http://www.neisg.org/. He received his undergraduate degree from UMASS Lowell in Computer Science and subsequently earned certification as a CISSP®.

Mr. Miliefsky holds six e-commerce patents and has seven network security patents pending, including one about Proactive Network Security Using RSS. He maintains a Blog about IT Security Tips, Trends and News at http://netclarity.blogspot.com.

COPYRIGHT NOTICE:

All rights reserved. Printed in the United States of America. No part of this Whitepaper may be reproduced in any form and by any means without prior written permission of NetClarity, Inc. Making copies for any other use than backup purposes is a violation of US and International copyright laws. Copyright © 2006, NetClarity, Inc.

CONTACT INFORMATION:

Feel free to visit Gary online at http://www.netclarity.net. If you have any questions about this paper, please send an email to support@netclarity.net.

NetClarity, Inc.
54 Middlesex Turnpike, Building C
Bedford, Massachusetts, USA 01730

Tel: 781-276-4555
Fax: 781-276-1569
SKYPE: netclarity

Web: http://www.netclarity.net/